How to create exceptions to the Intune Mobile Application Management (MAM) data transfer policy for iOS and Android

As an Intune administrator, you create Intune MAM (mobile application management) policies to protect company data at the application level. This is independent of any mobile device management (MDM) solution. For more information about app protection policies, refer to https://docs.microsoft.com/en-us/intune/app-protection-policies.

Like many others, we created a MAM policy, applied it to all Microsoft and non-Microsoft applications (wrapped with the Intune SDK), and restricted data transfer to managed applications only. We have users who want to transfer data or open links from managed applications in unmanaged applications, especially Webex and RSA Token. Since Webex is not a managed application (it is not wrapped with the Intune SDK), users cannot open Webex links in the Webex application. In such scenarios, we have to look at exceptions (iOS/Android).

Microsoft recently introduced an exceptions feature for iOS and Android MAM policies. An exception lets you specifically choose which unmanaged apps can transfer data to and from managed apps. The unmanaged apps that you include in the exception list must be trusted by IT.

This feature applies when you create an Intune app protection policy with data transfer set to 'Managed apps only', as shown in the screenshot below. If you chose 'All apps', you do not need to create any exception, since you already allow links to open in unmanaged apps as well.


In this blog post, we will see how to create exceptions for some of the applications that IT requires users to work with on a day-to-day basis, such as Webex, GlobalMeet and RSA Token.

You are responsible for making changes to the data transfer exception policy. Additions to this policy allow unmanaged apps (apps that are not managed by Intune) to access data protected by managed apps. This access to protected data may result in data security leaks. Only add data transfer exceptions for apps that your organization must use, but that do not support Intune APP (Application Protection Policies). Additionally, only add exceptions for apps that you do not consider to be data leak risks.

Before we configure these exceptions, we need to find some information about the applications we are exempting from the MAM policies.

iOS data transfer exceptions
For iOS, we can configure data transfer exceptions by URL protocol. To add an exception, check the documentation provided by the app's developer for information about the URL protocols it supports.

It is a little tricky to find the right URL protocol for every iOS application; for Webex, however, Microsoft gives it on the TechNet site: the Webex URL protocol is wbx. For other applications, contact the vendor to find the protocol.
By adding Webex as an exception to the MAM data transfer policy, Webex links inside a managed Outlook email message open in the Intune browser, and the browser then lets these exempted links open directly in the Webex application.

Android data transfer exceptions

For Android, we can configure data transfer exceptions by app package name. It is easy to identify the package name of an Android application using the Google Play store: the package ID is contained in the URL of the app's page.

To find the package ID for Webex or RSA Token, go to the Google Play store, search for the app, open its page, and copy the value after id= in the URL to get the package name.


In this case, it is com.cisco.webex.meetings for Webex, and com.rsa.securidapp for RSA Token.

Once we have the necessary information, we go to the Intune MAM policy that you have already configured with the option 'Allow app to transfer data to other apps' set to 'Policy managed apps' and make the following changes.

If you have not set 'Allow app to transfer data to other apps' to 'Policy managed apps', you will not see 'Select apps to exempt'.

Also make sure that the MAM policy on which you configure this setting has 'Managed Browser' among its targeted apps.

If you have already created the Intune MAM policy, click on the policy, go to the policy settings, look for 'Select apps to exempt', and click 'Select'.

iOS:


Add a custom entry with the value: wbx;


Click OK to save the changes.

Android:

For Android, click 'Select' in the MAM policy and add the package names captured from the Google Play store into the fields.


How does it work?

When you receive a link (for example a Webex link) in a managed application such as Teams, OneDrive or Outlook and tap it, it opens in the Intune Managed Browser. The browser recognises that an exception exists for that URL and redirects it to open in Webex, or in whichever exempted application is already installed on the device, based on the URL protocol on iOS or the package ID on Android.
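The decision the managed browser makes, modelled as an added Python example (it is not part of the original post and not Intune's own code): it extracts Android package IDs from Play Store URLs as described above, parses the iOS custom value (wbx;), and applies the data transfer setting plus the exemption lists to a tapped link. The setting names, link formats and sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlparse, parse_qs

# Values of the "Allow app to transfer data to other apps" setting (names assumed for this model).
ALL_APPS = "all apps"
POLICY_MANAGED_APPS = "policy managed apps"
NONE = "none"


def play_store_package_id(url: str) -> str:
    """Return the Android package name from a Google Play app-page URL (its id= parameter)."""
    ids = parse_qs(urlparse(url).query).get("id")
    if not ids or not ids[0]:
        raise ValueError(f"no id= parameter in Play Store URL: {url}")
    return ids[0]


def parse_ios_exempt_value(value: str) -> frozenset:
    """Parse the custom iOS exemption value: semicolon-separated URL protocols such as 'wbx;'."""
    return frozenset(p.strip().lower() for p in value.split(";") if p.strip())


def may_hand_off(transfer_setting: str, platform: str, link: str,
                 exempt_protocols=frozenset(), exempt_packages=frozenset(),
                 target_package=None) -> bool:
    """Decide whether a link tapped in a managed app may be handed to an unmanaged app.

    iOS matches on the link's URL scheme; Android matches on the handling app's package ID.
    """
    if transfer_setting == ALL_APPS:
        return True   # no exception needed: any app may receive the data
    if transfer_setting == NONE:
        return False  # nothing leaves the managed app, so exceptions do not apply
    if transfer_setting != POLICY_MANAGED_APPS:
        raise ValueError(f"unknown transfer setting: {transfer_setting}")
    if platform == "ios":
        return urlparse(link).scheme.lower() in exempt_protocols
    if platform == "android":
        return target_package in exempt_packages
    raise ValueError(f"unknown platform: {platform}")


if __name__ == "__main__":
    # Constructed sample inputs mirroring the Webex and RSA Token examples in the post.
    webex = play_store_package_id("https://play.google.com/store/apps/details?id=com.cisco.webex.meetings&hl=en")
    protos = parse_ios_exempt_value("wbx;")
    print("android webex:", may_hand_off(POLICY_MANAGED_APPS, "android", "https://x.webex.com/meet/1",
                                         exempt_packages={webex}, target_package=webex))
    print("ios rsa:", may_hand_off(POLICY_MANAGED_APPS, "ios", "rsa://token", exempt_protocols=protos))
```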

I tested this feature and it works perfectly fine.

For more information about creating exceptions to the Intune Mobile Application Management (MAM) data transfer policy, see https://docs.microsoft.com/en-us/intune/app-protection-policies-exception


Hope it helps!

6 Responses to "How to create exceptions to the Intune Mobile Application Management (MAM) data transfer policy for iOS and Android"

  1. This doesn't appear to work for iOS. We've been trying to figure out how to exempt the RSA SecurID app for a while now and have gotten nowhere. As you mention in your article, it's easy on Android; you just add "com.rsa.securidapp" to the Exempt Apps list. But for iOS, it doesn't appear to be that simple. If this TechNet blog post is accurate, it's not possible at all:
    https://social.technet.microsoft.com/Forums/en-US/51f777c9-d660-4ed3-86d4-58d7975a6de6/intune-data-exception-settings

    It suggests that the app has to be approved as a "MAM-enabled" app by Microsoft. The only exception would be in-house developed apps that you wrap with Microsoft's SDK.

    Microsoft's own documentation says that it's possible but says that you need to contact the vendor to determine the "URL protocol"
    https://docs.microsoft.com/en-us/intune/app-protection-policies-exception#ios-data-transfer-exceptions

    I've tried adding/guessing every conceivable permutation of what that value might be but haven't figured it out yet.

    1. Hi,
      For iOS, it works differently, and you need to reach out to the vendor team for the information, or download the IPA and extract it to see the ID or something.
      I haven't played around with the iOS files, except for reaching out to the vendor.

      Thanks,
      Eswar

    1. Hi Pratik,
      You need to contact the vendor for the exception ID to add into the MAM policy. For Android, you can get it from the Play Store as discussed in the blog post.

      Thanks,
      Eswar
